Electronic casino gaming with authentication and improved security

ABSTRACT

A gaming machine is described in which all interested parties to a game program to run on the gaming machine, will digitally sign each piece of approved program prior to installation. These signatures are stored with the program on a mass storage device inside the gaming machine. When the machine needs to load a piece of program, or upon an external command after a significant event such as a jackpot payout, it will execute the SHA-1 program code in the EPROM on the program being loaded, and then perform a DSA verification operation using the SHA-1 output as one of the parameters. The DSA verification operation will be repeated for every digital signature stored with the program, and all must be valid, so that it is impossible to execute program code that has not been approved by the manufacturer, the jurisdictional authority and optionally the casino and/or other parties.

INTRODUCTION

The present invention relates generally to electronic gaming machines or consoles and in particular the invention provides an improved system for executing casino games in RAM as opposed to the conventional unalterable ROM. The improvements provide an authentication process based upon digital signatures, with the U.S. Digital Signature Standard (DSS) being the preferred means of implementation.

For the sake of clarity the following terms are defined for the purpose of this specification.

A gambling machine, usually referred to as a gaming machine, is a traditional gaming machine. Typical examples include slot machines of the type made by Aristocrat Leisure Industries or IGT.

A casino refers to the operator of gambling machines.

A digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and integrity of the data can be verified.

Strong encryption is the encryption of data such that it is computationally infeasible for a third party—for example a government agency—to retrieve the encrypted data without a key.

A hash, or message digest, is the output from a function that produces a value that is unique for any message input into it. A one-way hash produces an output that is computationally difficult to relate to the input. It is also computationally difficult to produce two different messages with the same message digest.

An unforgeable log is produced by chaining together hash values such that the nth entry in the log is dependent on the (n−1)th entry, and thus previous entries cannot be altered without re-computing the whole chain.

A logic cage is a secure area inside the gaming machine that cannot be accessed without sufficient security clearance.

REFERENCES

“The Digital Signature Standard” U.S. Federal Information Processing Standards Publication 186

“The Secure Hash Standard” U.S. Federal Information Processing Standards Publication 180-1

“Cryptographic Support for Secure Logs on Untrusted Machines” by Bruce Schneier and John Kelsey (available at http://www.counterpane.com/secure-logs.html)

BACKGROUND OF THE INVENTION

Traditionally, microprocessor based gaming machines store their program contents in unalterable ROM or EPROM. During installation and after a large jackpot payout, the machine is physically inspected and the EPROMs are removed. These EPROMs are placed in a verification device which produces an output string using a known algorithm usually referred to as a hash function. This string is compared against a string that has been already generated when the game program was approved by the gaming jurisdiction. Authentication is achieved by a match of the approved string and the EPROM generated string.

The main disadvantage of such a system is that the current limited capacity of EPROM technology ensures that games cannot be as sophisticated as if they were stored in an alternative medium such as a hard disk or CD-ROM. The other problem with using RAM is that it cannot be extracted and placed in a verification device, since the contents of the RAM are necessarily volatile.

Another system, disclosed and described in U.S. Pat. No. 5,643,086 uses a private key to encrypt a message digest of the approved copy of the program, and thus produce an unalterable digital signature which can be decrypted with a corresponding public key and compared against a message digest generated by an unalterable EPROM in the gaming machine.

The disadvantage of the above invention is that it relies on strong encryption, currently subject to export restrictions from the U.S. and other countries. This program can only be signed by one party and if a single private key is compromised, the whole system is compromised.

A related problem that exists is that of version control. Once a gaming machine program is found to be faulty, a modification or ‘patch’ is usually distributed. Unfortunately, conventional EPROM based machines, and the disclosed system above, have no method implemented of ensuring that the earlier version of the program is not re-installed, either deliberately or by accident, later. Once program is approved, it is impossible for the machine to revoke that approval. If a rogue element was able to ‘sneak past’ a jurisdiction a dubious piece of program, there would be no way to stop it being used in a casino, even after detection.

SUMMARY OF THE INVENTION

The invention provides a gaming machine with enhanced capability for storing games due to enhanced security and authentication capabilities.

According to a first aspect the present invention provides a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies a digital signature associated with the program and prevents execution of the program if the digital signature is not valid.

According to a second aspect the present invention provides a method of verifying a program or a program component for a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies a digital signature associated with the program, and the method including a step of verifying the digital signature against a key, and preventing execution of the program if the digital signature is not valid.

Preferably, the digital signature is generated by a method that does not include encryption such that de-encryption is not performed during the digital signature verification.

According to a third aspect the present invention provides a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies each of a plurality of digital signatures associated with the program and prevents execution of the program if any one of the digital signatures is not valid.

According to a fourth aspect the present invention provides a method of verifying a program or a program component for a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies each of a plurality of digital signatures associated with the program, and the method including steps of verifying each of the digital signatures against a respective key, and preventing execution of the program if any one of the digital signatures is not valid.

Preferably the or each digital signature is generated by a method that does not include encryption such that de-encryption is not performed during the digital signature verification.

In one embodiment, the programmable controller is used to control the operation of a game played on an electronic gaming machine and the signed program is a game program or a component of a game program.

Preferably multiple signatures may be applied to the game program, to ensure that only program approved by not only the manufacturer, but also the jurisdictional authority and optionally the casino itself, is executed by the machine.

Preferably also a system is provided for revoking signature keys. This can be password based—a password is entered which allows one of the public signatures stored in the machine to be changed. Alternatively, a revocation certificate can be used, which must be valid, or the revocation system can be time based, where the machine stores a set of signatures, good for say 10 years, and the current active signature is based upon the current system clock.

A system of equivalent signatures is also preferably provided, such that any one of these signatures can be used as part of the verification. Ideally a manufacturer will have at least one signature for its office in each jurisdiction. Any one could be used to sign a game, but it would be apparent in the event of a problem where the responsibility would lie, and could be revoked easily.

Preferably a system for version control is also included, such that once a later version of program runs on a gaming machine it is then impossible to run an earlier version of the same program. This would preferably permanently revoke faulty games once a fix had been issued.

Preferably any signature and version changes are held in secure unforgeable logs updated after each change to help detect possible fraud. Preferably also the unforgeable logs are implemented using tamper-proof devices such as smartcards to ensure that the log can never be deleted.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of example with reference to the accompanying drawings in which:

FIG. 1 illustrates a conventional gaming machine in which the present invention may be implemented;

FIG. 2 is a block diagram of a control unit according to the present invention;

FIG. 3 is a diagrammatic representation of a method of signature generation and verification according to the present invention;

FIG. 4 is a flow diagram of a program approval process according to the present invention; and

FIG. 5 is a flow diagram illustrating a method of executing approved program according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In the following detailed description the methodology of the embodiments will be described, and it is to be understood that it is within the capabilities of the non-inventive worker in the art to introduce the methodology on any standard microprocessor-based gaming machine or gaming console by means of appropriate programming.

Referring to FIG. 1 of the drawings, the first embodiment of the invention is illustrated in which a slot machine 40, of the type having a video display screen 41 which displays a plurality of rotatable reels 42 carrying symbols 43, is arranged to pay a prize on the occurrence of a predetermined symbol or combination of symbols.

In the slot machine 40 illustrated in FIG. 1, the game is initiated by a push button 44, however, it will be recognized by persons skilled in the art that this operating mechanism might be replaced by a pull handle or other type of actuator in other embodiments of the invention. The top box 45 on top of the slot machine 40 carries the artwork panel 35 which displays the various winning combinations for which a prize is paid on this machine.

The program which implements the game and user interface is run on a standard gaming machine control processor 100 as illustrated schematically in FIG. 2. This processor forms part of a controller 110 which drives the video display screen 141 and receives input signals from sensors 144. The sensors 144 may be touch sensors, however, in alternative embodiments these may be replaced by a pull handle or another type of actuator such as button 44 in FIG. 1. The controller 110 also receives input pulses from a mechanism 120 indicating the user has provided sufficient credit to begin playing. The mechanism 120 may be a coin input chute, a bank note acceptor (bill acceptor), a credit card reader, or other type of validation device. The controller 120 also drives a payout mechanism 130 which for example may be a coin output.

The controller 110 also includes ROM 170 in which fixed and secure program components are held. This ROM may also contain part or all of a program to perform a program verification function for programs running on the CPU 100 out of RAM 150 or loaded onto or from the disk 160.

Alternatively, the program verification may be performed by a standalone verification system 140 interposed between the RAM 150, the disk 160 and the CPU 100. The verification system may make use of a tamper proof storage element such as a smart card 180 (or a device containing a smart card chip), or the verification system 140 may itself be implemented as a smart card or smart card chip in which case, it will not require the separate smart card 180. An Input/Output function 190 is also provided for the CPU to communicate with a gaming machine network for administration, participation in system wide prizes and bonuses and for downloading of game programs.

The game played on the machine shown in FIGS. 1 and 2 is a relatively standard game which includes a 3 by 5 symbol display and allows multiple pay lines.

Slot machines such as those of the type described with reference to FIGS. 1 and 2 can be adapted to embody the present invention with generally only a program change to modify the functions of some of the user interfaces of the machine.

The system, when built will consist of an electronic gaming machine, with standard features such as graphics capability, a monitor, sound output and interfaces to gaming hardware such as hoppers, bill acceptors etc. The gaming machine would also have a sophisticated central processor, say a Pentium or PowerPC for example, with a large amount of RAM, a storage device such as a hard disk, CD-ROM or remote network storage and optionally a smartcard interface.

The machine would furthermore have an unalterable EPROM which would have stored in it program code to perform the DSS algorithm, also known as the DSA. It would also contain code to perform the Secure Hash Algorithm (SHA-1), the designated U.S. Federal standard message digest algorithm. This EPROM would be able to be extracted and inspected by the traditional means. In alternative implementations, other digital signature algorithms could be used such as GOST, ESIGN or even the previously disclosed RSA method which requires encryption.

FIG. 3, copied from the U.S. Federal standard FIPS 180-1, describes the operations that produce and verify a digital signature using DSA and SHA-1. An important distinguishing characteristic of this system is that it does not use encryption to produce a digital signature. It is thus not subject to export restrictions from the US and other countries.

Each set of program that is to be installed in any gaming machine at present must be approved, both by the gaming jurisdictional authority and by the machine manufacturer. It also may need to be approved by the casino in which the machine will reside. In the preferred implementation, all interested parties will digitally sign each piece of approved program prior to installation. The process of game program being produced, approved and authenticated would proceed as in FIG. 4.

These signatures will be stored with the program on a mass storage device inside the gaming machine. When the machine needs to load a piece of program, or upon an external command after a significant event such as a jackpot payout, it will execute the SHA-1 program code in the EPROM on the program being loaded, and then perform a DSA verification operation using the SHA-1 output as one of the parameters. The DSA verification operation will be repeated for every digital signature stored with the program, and all must be valid, so that it is impossible to execute program code that has not been approved by the manufacturer, the jurisdictional authority and optionally the casino and/or other parties. The process of executing pre-approved program would proceed as in FIG. 5.

A significant benefit of multiple signatures, as opposed to other disclosed systems which use only one, is that it protects all parties from a rogue element working within either the manufacturer, the jurisdiction or the casino. To successfully install a fraudulent piece of program in a gaming machine that uses this system would require a concerted conspiracy involving trusted personnel working for all parties.

To perform the digital signature verification, it is also necessary that the machine store public keys for the appropriate parties—jurisdiction, casino and manufacturer. In the preferred implementation, these keys are stored in EEPROM, which can be modified at suitable times by a program stored in the EPROM, under strict security conditions. This enables signatures to be revoked if compromised, or periodically updated. In an alternative implementation, a plurality of signature public keys are stored in the unalterable EPROM and variables stored in EEPROM indicate which of these signatures are active. In another alternative implementation, a tamper-proof device such as a smartcard stores the public keys. The program code in the EPROM passes the output from the SHA-1 algorithm to the smartcard along with the signature values stored with the program. The smartcard then performs the DSS or other signature verification and returns either an authentication or denial code to the gaming machine. Once revoked, the smartcard will not allow keys to be re-enabled.

Since it will be possible to change the digital signatures that authenticate program running in the machine, it is important that an unforgeable log is kept of all program changes or signature changes. This can be achieved by the use of a hash chain, where every entry in the log is ‘hashed’ with the previous log entry's hash value. In a preferred implementation, this hash chain, or the most recent part of it, is stored within a tamper-proof device such as a smartcard or the traditionally used logic cage. A smartcard is preferred, since it can have a secret, unique identification code, and is thus non-reproducible and unforgeable itself. Program code stored in the unalterable EPROM accesses the smartcard during signature or program update. Since the latest hash value would always be stored on the smartcard, it would be impossible to change the program without creating a log entry. This would ensure that all modifications to the program stored on the machine were accurately logged which would be extremely useful in the event of a major jackpot payout. The EPROM can be proven to be unaltered by the conventional means of placing it in a verification device.

A more detailed description of a possible implementation of a hash-chain unforgeable log can be found in the paper “Cryptographic Support for Secure Logs on Untrusted Machines”—see references above.

Each signature for a file would be linked to the file, but need not be contained within the file. In the event of a signature key revocation, new signatures may have to be downloaded from a network device or using the machine's operator mode. In this case the new signatures being downloaded would indicate which file they are to attach to, and which signature they replace. This would be more economical than re-downloading the whole program set upon a signature key change.

In an alternative implementation, multiple public keys for each corresponding signature are stored. At any one time, only one for each interested party would be active. The schedule for selecting which public keys are active could be time-based, so signatures would in effect have a lifetime. Periodically, the machine would have to be updated with the new signatures as either a maintenance task or upon the payments of an additional license fee to the manufacturer or jurisdiction.

In the event of an authentication failure due to signatures (and therefore the license to run the program) expiring, it could be implemented that the casino would have a ‘grace’ period to obtain new keys before the machine completely refused to run the program. For example, the machine could display a notice, similar to that found on computer shareware products, informing of the license expiry that would have to be manually accepted by the machine operator every time the machine was reset.

In the alternative implementation, it would also be possible to have multiple signatures active for each party at any one time. One possibility would be that these would correspond to different divisions within the manufacturer or jurisdiction. This would aid tracing in the event of a program or security failure.

Another security aspect that will be implemented in the gaming machine is the concept of version control. Each digitally signed piece of program stored on the mass storage device within the machine will have an associated identification code and version number. It will be impossible to download program with a corresponding identification code and an earlier version number.
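
The hash-chain log and the version rule described above, worked through as an added example that is not part of the patent text. The class and function names, the JSON entry layout, the all-zero starting value and the use of SHA-256 for the chain are assumptions of this example (the specification names SHA-1 only for the signature digest), and install() is assumed to be called only after all signatures on the program have verified.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # constructed starting value for an empty log


def chain_hash(prev_hash, entry):
    """Hash one log entry together with the previous entry's chain hash."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash + payload).digest()


def recompute_head(entries):
    """Replay the whole log from GENESIS and return the final chain hash."""
    head = GENESIS
    for entry in entries:
        head = chain_hash(head, entry)
    return head


class TamperProofDevice:
    """Hypothetical stand-in for the smartcard: it keeps only the latest hash."""

    def __init__(self):
        self._head = GENESIS

    def extend(self, entry):
        self._head = chain_hash(self._head, entry)

    def matches(self, entries):
        return recompute_head(entries) == self._head


class Machine:
    """Log kept on untrusted mass storage, latest chain hash kept in the device."""

    def __init__(self):
        self.card = TamperProofDevice()
        self.log = []

    def _record(self, event, **fields):
        entry = {"seq": len(self.log), "event": event, **fields}
        self.card.extend(entry)   # the trusted head moves first
        self.log.append(entry)    # then the entry is written to storage

    def _require_intact_log(self):
        # An edited or truncated log no longer replays to the device's hash.
        if not self.card.matches(self.log):
            raise RuntimeError("log on storage does not match the device's hash")

    def latest_version(self, program_id):
        versions = [e["version"] for e in self.log
                    if e["event"] == "install" and e["program_id"] == program_id]
        return max(versions, default=None)

    def install(self, program_id, version):
        """Refuse a version earlier than the latest one already logged."""
        self._require_intact_log()
        latest = self.latest_version(program_id)
        if latest is not None and version < latest:
            self._record("rollback_refused", program_id=program_id,
                         version=version, latest=latest)
            return False
        self._record("install", program_id=program_id, version=version)
        return True

    def change_key(self, party, key_id):
        """Signature-key changes go through the same chain as program changes."""
        self._require_intact_log()
        self._record("key_change", party=party, key_id=key_id)


if __name__ == "__main__":
    m = Machine()
    m.install("game-A", 1)                  # constructed identifiers
    m.install("game-A", 2)
    m.change_key("manufacturer", "key-2")
    print("rollback accepted:", m.install("game-A", 1))
    edited = [dict(e) for e in m.log]
    edited[1]["version"] = 0                # rewrite an earlier entry on storage
    print("edited log matches device:", m.card.matches(edited))
    print("truncated log matches device:", m.card.matches(m.log[:-1]))
```

Because the version check reads the log, the check is only as trustworthy as the log, which is why every operation first replays the chain against the hash held in the device.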

It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the invention as shown in the specific embodiments without departing from the spirit or scope of the invention as broadly described. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.

What is claimed is:
 1. A programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies a digital signature associated with the program and prevents execution of the program if the digital signature is not valid, the digital signature being generated by a method that does not include encryption such that de-encryption is not performed during the digital signature verification.
 2. The controller as claimed in claim 1, wherein a plurality of signatures are applied to the program.
 3. The controller as claimed in claim 2, wherein each of the equivalent signatures is identifiable as being associated with a person or entity responsible for issuing or authorizing the program.
 4. The controller as claimed in claim 1, wherein the signature verification means stores one or more public signature keys in secure storage and uses a public signature key from the secure storage to verify the digital signature associated with the program.
 5. The controller as claimed in claim 4, wherein the signature verification means includes signature revocation means for removing public signature keys from a set of valid keys as a method of revoking signature keys.
 6. The controller as claimed in claim 5, wherein the signature revocation means is activated by a password such that when the password is entered it allows a particular public signature stored in the verification means to be changed or deleted.
 7. The controller as claimed in claim 5, wherein a digital revocation certificate can be used, which must be validated by the validation means before it causes a public signature key to be revoked.
 8. The controller as claimed in claim 5, wherein revocation is time based, whereby the machine stores a set of public signature keys, which are valid for a fixed period of time, after which they are automatically revoked.
 9. The controller as claimed in claim 8, wherein the fixed period before automatic revocation is a period of 10 years.
 10. The controller as claimed in claim 8, wherein identification of a current active public signature is based upon comparison of a time stamp embedded in the signature with a time and date obtained from a current time value from a system clock.
 11. The controller as claimed in claim 4, wherein a plurality of equivalent signatures are provided in the secure storage, such that any one of the equivalent signatures can be used as part of the verification authorization.
 12. The controller as claimed in claim 11, wherein each of the equivalent signatures is identifiable as being associated with a person or entity responsible for issuing or authorizing the program.
 13. The controller as claimed in claim 1, wherein the programmable controller is used to control the operation of a game played on an electronic gaming machine and the program with which the digital signature is associated is a game program or a component of a game program.
 14. The electronic gaming machine as claimed in claim 13, wherein the digital signature is applied to the program by or on behalf of a manufacturer of the electronic gaming machine.
 15. The controller as claimed in claim 13, wherein the digital signature is applied to the program by or on behalf of a jurisdictional authority that has jurisdiction to authorize use of the game in a location in which the game is installed.
 16. The controller as claimed in claim 13, wherein the digital signature is applied to the program by or on behalf of a casino in which the electronic gaming machine is installed.
 17. The controller as claimed in claim 1, wherein the signature verification means stores one or more public signature keys in secure storage and uses a public signature key from the secure storage to verify the digital signature associated with the program.
 18. The controller as claimed in claim 17, wherein the signature verification means includes signature revocation means for removing public signature keys from a set of valid keys as a method of revoking signature keys.
 19. The controller as claimed in claim 18, wherein the signature revocation means is activated by a password such that when the password is entered it allows a particular public signature stored in the verification means to be changed or deleted.
 20. The controller as claimed in claim 18, wherein a digital revocation certificate can be used, which must be validated by the validation means before it causes a public signature key to be revoked.
 21. The controller as claimed in claim 18, wherein revocation is time based, whereby the machine stores a set of public signature keys, which are valid for a fixed period of time, after which they are automatically revoked.
 22. The controller as claimed in claim 21, wherein the fixed period before automatic revocation is a period of 10 years.
 23. The controller as claimed in claim 21, wherein identification of a current active public signature is based upon comparison of a time stamp embedded in the signature with a time and date obtained from a current time value from a system clock.
 24. The controller as claimed in claim 17, wherein a plurality of equivalent signatures are provided in the secure storage, such that any one of the equivalent signatures can be used as part of the verification authorization.
 25. The controller as claimed in any one of claim 1, wherein the verification program records versions of a program that have been verified and will not re-verify versions earlier than the latest version that it has already verified.
 26. The controller as claimed in claim 25, wherein the record of verified program versions is stored in a secure log and entries in the record are unforgeable and unalterable after being written.
 27. The controller as claimed in claim 26, wherein a record of digital signature key updates is kept in the secure log.
 28. The controller as claimed in claim 26, wherein the secure log is recorded in a tamper proof device.
 29. The controller as claimed in claim 28, wherein the tamper proof device is a smartcard or contains a smartcard chip.
 30. A programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies each of a plurality of digital signatures associated with the program and prevents execution of the program if any one of the digital signatures is not valid.
 31. The controller as claimed in claim 30, wherein the programmable controller is used to control the operation of a game played on an electronic gaming machine and the program with which the digital signature is associated is a game program or a component of a game program.
 32. The controller as claimed in claim 2, wherein one of the digital signatures is applied to the program by or on behalf of a manufacturer of the electronic gaming machine.
 33. The controller as claimed in claim 2, wherein one of the digital signatures is applied to the program by or on behalf of a jurisdictional authority that has jurisdiction to authorize use of the game in a location in which the game is installed.
 34. The controller as claimed in claim 2, wherein one of the digital signatures is applied to the program by or on behalf of a casino in which the electronic gaming machine is installed.
 35. The controller as claimed in any one of claim 30, wherein the verification program records versions of a program that have been verified and will not re-verify versions earlier than the latest version that it has already verified.
 36. The controller as claimed in claim 35, wherein the record of verified program versions is stored in a secure log and entries in the record are unforgeable and unalterable after being written.
 37. The controller as claimed in claim 36, wherein a record of digital signature key updates is kept in the secure log.
 38. The controller as claimed in claim 36, wherein the secure log is recorded in a tamper proof device.
 39. The controller as claimed in claim 38, wherein the tamper proof device is a smartcard or contains a smartcard chip.
 40. A method of verifying a program or a program component for a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies a digital signature associated with the program, the digital signature being generated by a method that does not include encryption and the method including a step of verifying the digital signature against a key, in which de-encryption is not performed during the digital signature verification, and preventing execution of the program if the digital signature is not valid.
 41. The method as claimed in claim 40, a plurality of signatures are applied to the program.
 42. The method as claimed in claims 40, wherein the programmable controller is used to control the operation of a game played on an electronic gaming machine and the program with which the digital signature is associated is a game program or a component of a game program.
 43. The method as claimed in claim 42, wherein one of the digital signatures is applied to the program by or on behalf of a manufacturer of the electronic gaming machine.
 44. The method as claimed in claim 42, by or on behalf of a jurisdictional authority that has jurisdiction to authorize use of the game in a location in which the game is installed.
 45. The method as claimed in claim 42, wherein one of the digital signatures is applied to the program by or on behalf of a casino in which the electronic gaming machine is installed.
 46. The method as claimed in claim 40, wherein the signature verification means stores one or more public signature keys in secure storage and uses a public signature key from the secure storage to verify the digital signature associated with the program.
 47. The method as claimed in claim 46, wherein the signature verification means includes signature revocation means for removing public signature keys from a set of valid keys as a method of revoking signature keys.
 48. The method as claimed in claim 47, wherein the signature revocation means is activated by a password such that when the password is entered it allows a particular public signature stored in the verification means to be changed or deleted.
 49. The method as claimed in claim 47, wherein a digital revocation certificate can be used, which must be validated by the validation means before it causes a public signature key to be revoked.
 50. The method as claimed in claim 47, wherein revocation is time based, whereby the machine stores a set of public signature keys, which are valid for a fixed period of time, after which they are automatically revoked.
 51. The method as claimed in claim 50, wherein the fixed period before automatic revocation is a period of 10 years.
 52. The method as claimed in claim 50, wherein identification of a current active public signature is based upon comparison of a time stamp embedded in the signature with a time and date obtained from a current time value from a system clock.
 53. The method as claimed in any one of claims 46, wherein a plurality of equivalent signatures are provided in the secure storage, such that any one of the equivalent signatures can be used as part of the verification.
 54. The method as claimed in claim 53, wherein each of the equivalent signatures is identifiable as being associated with a person or entity responsible for issuing or authorizing the program.
 55. The method as claimed in any one of claims 40, wherein the verification program records versions of a program that have been verified and will not re-verify versions earlier than the latest version that it has already verified.
 56. The method as claimed in claim 55, wherein the record of verified program versions is stored in a secure log and entries in the record are unforgeable and unalterable after being written.
 57. The method as claimed in claim 56, wherein a record of digital signature key updates is kept in the secure log.
 58. The method as claimed in claim 57, wherein the tamper proof device is a smartcard or contains a smartcard chip.
 59. The method as claimed in claim 56, wherein the secure log is recorded in a tamper proof device.
 60. A method of verifying a program or a program component for a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies each of a plurality of digital signatures associated with the program, and the method including steps of verifying each of the digital signatures against a respective key, and preventing execution of the program if any one of the digital signatures is not valid.
 61. The method as claimed in claim 60, wherein the programmable controller is used to control the operation of a game played on an electronic gaming machine and the program with which the digital signature is associated is a game program or a component of a game program.
 62. The method as claimed in claim 61, wherein one of the digital signatures is applied to the program by or on behalf of a manufacturer of the electronic gaming machine.
 63. The method as claimed in claim 61, wherein one of the digital signatures is applied to the program by or on behalf of a jurisdictional authority that has jurisdiction to authorize use of the game in a location in which the game is installed.
 64. The method as claimed in claim 61, wherein one of the digital signatures is applied to the program by or on behalf of a casino in which the electronic gaming machine is installed.
 65. The method as claimed in claim 61, wherein the signature verification means stores one or more public signature keys in secure storage and uses a public signature key from the secure storage to verify the digital signature associated with the program.
 66. The method as claimed in claim 65, wherein the signature verification means includes signature revocation means for removing public signature keys from a set of valid keys as a method of revoking signature keys.
 67. The method as claimed in claim 66, wherein the signature revocation means is activated by a password such that when the password is entered it allows a particular public signature stored in the verification means to be changed or deleted.
 68. The method as claimed in claim 66, wherein a digital revocation certificate can be used, which must be validated by the validation means before it causes a public signature key to be revoked.
 69. The method as claimed in claim 66, wherein revocation is time based, whereby the machine stores a set of public signature keys, which are valid for a fixed period of time, after which they are automatically revoked.
 70. The method as claimed in claim 69, wherein the fixed period before automatic revocation is a period of 10 years.
 71. The method as claimed in claim 69, wherein identification of a current active public signature is based upon comparison of a time stamp embedded in the signature with a time and date obtained from a current time value from a system clock.
 72. The method as claimed in any one of claims 65, wherein a plurality of equivalent signatures are provided in the secure storage, such that any one of the equivalent signatures can be used as part of the verification.
 73. The method as claimed in claim 72, wherein each of the equivalent signatures is identifiable as being associated with a person or entity responsible for issuing or authorizing the program.
 74. The method as claimed in any one of claims 60, wherein the verification program records versions of a program that have been verified and will not re-verify versions earlier than the latest version that it has already verified.
 75. The method as claimed in claim 74, wherein the record of verified program versions is stored in a secure log and entries in the record are unforgeable and unalterable after being written.
 76. The method as claimed in claim 75, wherein a record of digital signature key updates is kept in the secure log.
 77. The method as claimed in claim 75, wherein the secure log is recorded in a tamper proof device.
 78. The method as claimed in claim 77, wherein the tamper proof device is a smartcard or contains a smartcard chip.
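
The check recited in claims 60 and 69 to 70, as an added example that is not code from the patent: every party's DSA signature over the SHA-1 digest must verify, and a key stops being accepted once its fixed validity period has run out. The names `Key`, `Sig`, `Verify` and `scenarios`, the party labels, the use of a key issue time as the start of the validity period, and the rule that every party in the key store must have signed are assumptions of this sketch; Go's `crypto/dsa` is a deprecated package and is used only because the specification is built on SHA-1 and DSA.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
	"time"
)

const keyLifetime = 10 * 365 * 24 * time.Hour // fixed period before automatic revocation
// Sig is one party's DSA signature; Key is that party's entry in the secure key store.
type Sig struct{ R, S *big.Int }
type Key struct {
	Pub    *dsa.PublicKey
	Issued time.Time // assumed start of the validity period
}

// Verify returns nil only if every party in keys signed SHA-1(prog) with an unexpired key.
func Verify(keys map[string]Key, prog []byte, sigs map[string]Sig, now time.Time) error {
	sum := sha1.Sum(prog)
	for party, k := range keys {
		sig, ok := sigs[party]
		if !ok || now.After(k.Issued.Add(keyLifetime)) {
			return fmt.Errorf("%s: signature missing or key expired", party)
		}
		if !dsa.Verify(k.Pub, sum[:], sig.R, sig.S) {
			return fmt.Errorf("%s: signature invalid", party)
		}
	}
	return nil
}

// scenarios (constructed data): verdicts for the intact image, a changed image, lapsed keys.
func scenarios() (intact, tampered, expired error) {
	var params dsa.Parameters
	dsa.GenerateParameters(&params, rand.Reader, dsa.L1024N160)
	keys, sigs, prog, now := map[string]Key{}, map[string]Sig{}, []byte("constructed game image"), time.Now()
	sum := sha1.Sum(prog)
	for _, party := range []string{"manufacturer", "jurisdiction"} {
		priv := &dsa.PrivateKey{PublicKey: dsa.PublicKey{Parameters: params}}
		dsa.GenerateKey(priv, rand.Reader)
		r, s, _ := dsa.Sign(rand.Reader, priv, sum[:])
		keys[party], sigs[party] = Key{&priv.PublicKey, now}, Sig{r, s}
	}
	return Verify(keys, prog, sigs, now), Verify(keys, append(prog, 0), sigs, now), Verify(keys, prog, sigs, now.Add(keyLifetime+time.Hour))
}

func main() { fmt.Println(scenarios()) }
```

Returning on the first failure means a single bad, missing or expired-key signature blocks the load, which is the "any one of the digital signatures is not valid" condition of claim 60.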